Work with Vulnerabilities
Vulnerabilities are aspects of your app that can make it susceptible to attackers. At the organization, app, and scan level you can view information about each vulnerability and replay the attack so that you can learn how to remediate it and improve the security of your application. You can also leave comments on a vulnerability to help you and others understand and remediate it.
To help you determine the priority of a vulnerability, the following information is available for each vulnerability:
- Filter vulnerabilities
- Vulnerability information
- Attack Information
- Attack Variance
- Discovery history
- Change History
To help you test vulnerability fixes, you can replay an attack.
Filtering helps you find vulnerabilities that match your criteria. In addition to creating and saving your own filters, InsightAppSec provides several quick filters based on vulnerability status, plus a New filter that shows the number of vulnerabilities found in the most recent scan. In the search results, you can sort by the Last Discovered date to see when a vulnerability was last found.
Use search filters to choose the attributes of the vulnerabilities you want to find. The more filters you add, the more refined your results are. To see only the vulnerabilities that meet all of the filter criteria, combine filters with the AND operator. To see the vulnerabilities that meet any of the filter criteria, combine them with the OR operator.
A filter compares certain properties of vulnerabilities to a value or regular expression using one of the following operators:
- = (equals)
- != (does not equal)
- does not contain
- starts with
- ends with
- Like (regular expression)
- is null
- is not null
A circle to the left of the filter indicates whether the expression in the field is valid. If the circle is red, the filter is incomplete or incorrect.
Create and save a filter
You can filter vulnerabilities within an organization on the All Vulnerabilities page, vulnerabilities in a specific app on the Vulnerabilities tab, and vulnerabilities in a scan on the Scans tab.
- Go to the All Vulnerabilities page, the app's Vulnerabilities tab, or the Scans tab that lists the vulnerabilities you want to filter.
- In the search query bar, enter the expression for the filter.
- Click Apply to view search results.
- Click Save to be able to reuse the filter.
Filter: Vulnerabilities Found During Mapping
To view any vulnerabilities found during the updated vulnerability mapping process, copy the following query into the query bar and update with your criteria.
vulnerability.discoveries.discovered BETWEEN 6/23/2020 AND 6/24/2020 AND vulnerability.status = "Unreviewed"
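To make the operator list and the AND/OR rules above concrete, here is a small model of how such filters select vulnerabilities, written as an added example for this page. It is not InsightAppSec's query engine: the sample records, every field name other than vulnerability.status, and the simplified grammar (clauses joined by a single AND or OR, string values in double quotes, no BETWEEN) are assumptions made for the illustration. The parse step plays the role of the red/green circle, and the evaluation step shows the difference between combining clauses with AND and with OR.

```python
"""Model of how the filter operators listed above select vulnerabilities.

Constructed example for this page: the records, the dotted field names other
than vulnerability.status, and the simplified grammar (clauses joined by a
single AND or OR, values in double quotes) are assumptions, not
InsightAppSec's own query engine. BETWEEN is not modelled.
"""
import re

# Constructed sample records; None stands for a field that has no value.
VULNS = [
    {"id": 1, "vulnerability.status": "Unreviewed", "vulnerability.severity": "High",
     "vulnerability.rootCause.url": "https://app.example/login", "vulnerability.jiraTicket": None},
    {"id": 2, "vulnerability.status": "Unreviewed", "vulnerability.severity": "Info",
     "vulnerability.rootCause.url": "https://app.example/robots.txt", "vulnerability.jiraTicket": None},
    {"id": 3, "vulnerability.status": "Verified", "vulnerability.severity": "Medium",
     "vulnerability.rootCause.url": "https://app.example/api/search", "vulnerability.jiraTicket": "APPSEC-42"},
    {"id": 4, "vulnerability.status": "Remediated", "vulnerability.severity": "High",
     "vulnerability.rootCause.url": "https://app.example/login", "vulnerability.jiraTicket": "APPSEC-7"},
]

# One clause: <field> <operator> ["<value>"]. "!=" is listed before "=" so the
# alternation does not stop at the shorter operator.
CLAUSE = re.compile(
    r'^(?P<field>[\w.]+)\s+'
    r'(?P<op>!=|=|does not contain|starts with|ends with|like|is null|is not null)'
    r'(?:\s+"(?P<value>[^"]*)")?$',
    re.IGNORECASE,
)
NO_VALUE_OPS = {"is null", "is not null"}

# Semantics of each operator against the record's actual field value.
OPS = {
    "=": lambda actual, v: actual == v,
    "!=": lambda actual, v: actual != v,
    "does not contain": lambda actual, v: actual is None or v not in actual,
    "starts with": lambda actual, v: actual is not None and actual.startswith(v),
    "ends with": lambda actual, v: actual is not None and actual.endswith(v),
    "like": lambda actual, v: actual is not None and re.search(v, actual) is not None,
    "is null": lambda actual, v: actual is None,
    "is not null": lambda actual, v: actual is not None,
}


def parse(expression):
    """Return (combinator, clauses). Raises ValueError when the expression is
    incomplete or invalid, which is what the red circle in the UI signals."""
    has_and = re.search(r"\sAND\s", expression) is not None
    has_or = re.search(r"\sOR\s", expression) is not None
    if has_and and has_or:
        raise ValueError("this model joins clauses with either AND or OR, not both")
    combinator = "OR" if has_or else "AND"
    clauses = []
    for part in re.split(rf"\s{combinator}\s", expression):
        m = CLAUSE.match(part.strip())
        if m is None:
            raise ValueError(f"incomplete or invalid clause: {part.strip()!r}")
        op = m["op"].lower()
        # "is null"/"is not null" take no value; every other operator needs one.
        if (op in NO_VALUE_OPS) == (m["value"] is not None):
            raise ValueError(f"operator {op!r} used with the wrong number of values")
        clauses.append((m["field"], op, m["value"]))
    return combinator, clauses


def is_valid(expression):
    """Green circle (True) or red circle (False) for the whole expression."""
    try:
        parse(expression)
    except ValueError:
        return False
    return True


def matching(expression, records):
    """Return the records the expression selects: AND keeps a record only when
    every clause holds, OR keeps it when any clause holds."""
    combinator, clauses = parse(expression)
    combine = any if combinator == "OR" else all
    return [r for r in records
            if combine(OPS[op](r.get(field), value) for field, op, value in clauses)]


def matching_ids(expression, records=VULNS):
    return [r["id"] for r in matching(expression, records)]
```

Running `matching_ids('vulnerability.status = "Unreviewed" AND vulnerability.severity != "Info"')` against the sample records selects only record 1, whereas `vulnerability.severity = "High" OR vulnerability.jiraTicket is not null` selects records 1, 3 and 4; `is_valid('vulnerability.status =')` is False because the value is missing.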
App permissions required
Users must have access to the app where the vulnerability was discovered to view the vulnerability details.
Each vulnerability provides general details about the following:
- Module Type - The name of the attack used, for example SQL Injection.
- Severity - InsightAppSec provides two ways to prioritize vulnerabilities by severity:
- CVSS v3.1 severity: a numerical score (0-10) and the associated vector string, calculated with the CVSS calculator from the principal characteristics of the vulnerability. For more information on CVSS scores, vector strings, and calculations, see the CVSS specification document.
- Severity level assigned to the type of vulnerability, which is either the default severity of the attack module or the severity selected for a custom attack module. The severity levels are:
- High - High severity vulnerabilities may lead to attackers gaining complete control of the application as well as its data, trust, privacy, and/or availability. Immediate action is recommended to prevent a potentially catastrophic attack, as high severity vulnerabilities are often exploited by automated tools that do not depend on user interaction.
- Medium - Medium severity vulnerabilities may lead to attackers gaining partial control of the application as well as its data, trust, privacy, and/or availability. Deficiencies and errors in the application configuration are typically how these vulnerabilities are exploited. Although these attacks require more effort and skill from the attacker, a successful breach can still have a major negative impact.
- Low - Low severity vulnerabilities may lead to attackers gaining intelligence in preparation for an attack. For these attacks to succeed, several weaknesses such as user error, poor authentication methods, and related vulnerabilities need to line up. Any data collected may seem harmless but could be used to facilitate a larger attack.
- Info - These findings are simply information discovered about the application's components and configuration. This data could be useful to an attacker collecting information but has no direct impact on vulnerability exploitation.
Why are there two severity scores? Having both lets you compare the Severity InsightAppSec assigns with the CVSS score. You can edit the Severity level of Info, Low, Medium, or High that InsightAppSec generates, but not the CVSS score produced by the CVSS v3.1 calculator. The two may disagree because of scan configuration or because a user adjusted the Severity during verification. For example, a user reviews a vulnerability with a high CVSS score and a High Severity and determines that, because the app is isolated, the risk is actually low. When the two differ significantly, review the vulnerability's history and details to verify the correct level.
- Vulnerability status - The status helps you plan your workflow and prioritize your tasks.
- Detection - When the vulnerability was first and most recently discovered, as well as how many times it was detected.
- General information - A link to the app where the vulnerability was found, a unique hexadecimal ID for the instance, and an indicator of whether this instance of the vulnerability was exported to Jira.
- Root cause - The URL of the web resource where the vulnerability was found and the HTTP request parameter and method that was used for the attack.
Copy Vulnerability Link
Use the Copy Vulnerability Link button to copy and share a link to the vulnerability's details. You can send this link to anyone; however, only users who can sign in to InsightAppSec and have access to the app will be able to open it.
The Attack Information section describes the vulnerability and recommends how to fix it. It also links to references from industry sources such as NIST, OWASP, and DISA, which you can use to learn more about the vulnerability.
InsightAppSec can attempt multiple variations of the same attack against a URL, because a defence that blocks one variant does not necessarily block the others. For example, you may have protected a web form against some special characters but not others. The Attack Variances section contains a tab for each variation of the attack that InsightAppSec attempted.
Each attack variance includes the following:
- Traffic snapshot
- Original - The original, non-malicious value of the parameter, which is used to observe normal behavior of the app.
- System error message
- In-depth description
In addition to viewing attack variance information and snapshots, you can replay the attack.
You can replay the attack using the Rapid7 AppSec Plugin for Chrome browsers. Replaying the attack shows you exactly how the attack was made, so you can reproduce that behavior and add it to a scan.
You might replay an attack:
- To understand the attack traffic being sent to the app
- To monitor for that type of attack in real-time
- To test whether a fix has been effective
Use case: Test an attack fix
A vulnerability in one of your apps shows attack information. You want to understand the attack, fix the issue, and confirm the fix works before closing the vulnerability.
- In the active vulnerability, click Replay Attack.
- Review the attack to understand the attack traffic being sent to the app.
- Implement a fix. For example, validate or parameterize the input the attack targets so the app no longer responds to the attack traffic the way it did.
- Go back to the active vulnerability and replay the attack.
- Repeat until the replayed attack no longer succeeds.
Your fix has stopped the attack. Replay every attack variance, not only the first one, before you change the vulnerability's status.
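The attack variances described above and the test-a-fix procedure, worked through in code as an added example for this page (not Rapid7 or InsightAppSec code). The table, the three handler versions and the variance payloads are constructed: a lookup built by string concatenation, a partial fix that blocks a few special characters, and a parameterized fix. Replaying the same variances against each version shows why a defence against one special character is not a fix, and what an effective fix looks like when the original value still works but every variance is refused.

```python
"""Replay attack variances against a lookup handler before and after a fix.

Constructed example for this page, not InsightAppSec or Rapid7 code: the
table, the handlers and the variance payloads are invented to show why a
fix that blocks some special characters can still fail another variance,
and what an effective fix looks like when the attack is replayed.
"""
import sqlite3

SEED_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]  # constructed data

# The Original value exercises normal behaviour; the rest are attack variances
# of a SQL Injection module against the same request parameter.
VARIANCES = {
    "original": "2",
    "single_quote": "2'",       # breaks the statement -> system error message
    "boolean_or": "2 OR 1=1",   # needs no quote characters at all
}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    return conn


def lookup_concat(conn, user_id):
    """Vulnerable: the request parameter is spliced into the statement."""
    return conn.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchall()


def lookup_blocklist(conn, user_id):
    """Partial fix: rejects a few characters but still concatenates."""
    if any(ch in user_id for ch in "'\";"):
        raise ValueError("rejected")
    return conn.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchall()


def lookup_parameterized(conn, user_id):
    """Fix: validate the type, then bind the value instead of formatting it."""
    uid = int(user_id)  # ValueError for anything that is not an integer literal
    return conn.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchall()


def replay(handler, conn):
    """Send every variance through the handler and classify the response the
    way a reviewer reads a traffic snapshot: 'rejected' (input refused),
    'db_error' (a system error message from the database layer),
    'normal' (same rows as the Original) or 'altered' (different rows)."""
    baseline = handler(conn, VARIANCES["original"])
    results = {}
    for label, payload in VARIANCES.items():
        try:
            rows = handler(conn, payload)
        except ValueError:
            results[label] = "rejected"
        except sqlite3.DatabaseError:
            results[label] = "db_error"
        else:
            results[label] = "normal" if rows == baseline else "altered"
    return results


def fix_is_effective(results):
    """The fix works when the Original still behaves normally and no attack
    variance gets past the handler."""
    return results["original"] == "normal" and all(
        outcome == "rejected" for label, outcome in results.items() if label != "original")


if __name__ == "__main__":
    conn = make_db()
    for handler in (lookup_concat, lookup_blocklist, lookup_parameterized):
        outcome = replay(handler, conn)
        print(handler.__name__, outcome, "fix effective:", fix_is_effective(outcome))
```

Against the concatenating handler the single-quote variance produces a database error and the boolean variance returns every row. The blocklist stops the quote but not `2 OR 1=1`, which contains none of the blocked characters, so replaying only the first variance would have declared the fix successful too early. The parameterized version refuses both while the Original value still returns the expected row.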
The Discovery History table lists every scan in your environment in which this vulnerability has been found.
When was the vulnerability last found?
If a vulnerability was last discovered in a scan over 6 months ago, the vulnerability may have been resolved. Test the vulnerability to determine if it’s still active.
The Change History shows the time a status update or severity change was made on a vulnerability, the event, and which user made the change.
Comments let you add notes for yourself, communicate with anyone else who is looking at the vulnerability, and learn about earlier findings on it.
Admins can add, edit, and delete any comments. Users with read-write access to the app can add comments and edit and delete their own comments. Users with read-only access to the app can view comments.